Allowing scripts in CSP
24.07.2023
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
<meta http-equiv="Content-Security-Policy" content="script-src 'self'" />
This meta tag prevents inline scripts from executing. Your site is more secure because of it. This is great. But say you want to run your own code or you have a script that comes from a trusted source. How can we allow it to run?
Here’s what we need to do.
- With the
- Paste the code / URL into the appropriate input (“External source of script/style” / “Inline scripts/styles”, respectively)
- The generator will calculate the hashes and give you three strings for
sha512. I took the
sha256 version and added it to the
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-hash-from-generator'" />
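The same hash can be computed locally instead of pasting code into a generator. This is an added example, not code from the original post: it hashes each inline script exactly as it appears between the tags (whitespace included, encoded as UTF-8) and builds the meta tag in the form shown above. The function names and the sample page are assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

ALGS = ("sha256", "sha384", "sha512")  # digest algorithms CSP accepts in hash sources


def csp_hash_source(script_text, alg="sha256"):
    """Return a CSP hash source such as 'sha256-<base64 digest>' (quotes included)."""
    if alg not in ALGS:
        raise ValueError(f"unsupported algorithm: {alg}")
    digest = hashlib.new(alg, script_text.encode("utf-8")).digest()
    return f"'{alg}-{base64.b64encode(digest).decode('ascii')}'"


class _InlineScripts(HTMLParser):
    """Collect the exact text of each <script> element that has no src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def meta_for_page(html, alg="sha256"):
    """Build the meta tag allowing 'self' plus every inline script found in html."""
    parser = _InlineScripts()
    parser.feed(html)
    parser.close()
    sources = " ".join(csp_hash_source(s, alg) for s in parser.scripts)
    return ('<meta http-equiv="Content-Security-Policy" '
            f'content="script-src \'self\' {sources}" />')


# Constructed sample page: one external script (skipped) and one inline script.
SAMPLE = "<script src=\"/app.js\"></script>\n<script>\n  console.log('hi');\n</script>"

if __name__ == "__main__":
    print(meta_for_page(SAMPLE))
```

The hash covers every byte of the inline script, so any edit to it, even a change in indentation, requires recomputing the value in the policy.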